[...]llo finds that the hardest part of building a remote access network is identifying the business function it has to fulfil.
Of the three segments of a remote access infrastructure, the remote site and the Wan vie for the most attention. The central site, by comparison, seems staid and modest yet is often the most complex. It is here that today's mixture of PSTN, ISDN and leased lines is terminated; where tomorrow's xDSL and emerging cable modem links will be handled; where service levels to users are decided, and where security issues are managed.
Here, the remote links are bundled into Primary Rate Interface (PRI) circuits and fed into RACs (Remote Access Concentrators). These devices are largely proven and standards-based. They vary only in the number of ports, simultaneous connections and the occasional interface type supported.
Innovations are few, focusing on continued increases in port densities on the concentrator cards. Building a remote access network is more akin to making up a shopping list than being fitted for a tailor-made suit.
However, some technical difficulties remain. For example, Cisco's multi-chassis, multi-link PPP is currently the only available method of accepting ISDN calls across more than one RAC chassis. Calls are authenticated to a single master address that accepts or denies them irrespective of the physical port locations. The problem may become significant as two-port V.90 analog modems are sold off at attractive prices, along with second-line bargains from carriers. Any second 56Kbps call being tied together with multi-link PPP will not be opened if it cannot cross the chassis boundary.
But if most of the technological challenges can be met by ticking the appropriate boxes, the added value comes from advice on how the business challenges of remote access for a specific organisation are best met.
Tying the two together, an RAC chassis needs what Dan Thornton, senior consultant at Logical Networks, calls a road map to support emerging remote technologies, such as voice and fax over IP and, particularly, internet-enabled VPNs (Virtual Private Networks). "So much comes down to a realisation that there is more involved than simply making the connections," he said.
What is emerging is a number of fresh options for providing the link between the remote user and headquarters. For instance, business for BT's services grew 30 per cent last year, to a turnover of £75m. Most of this came from IP network deployment over both public and private networks.
BT also had two major wins with Bass and Whitbread.
"Buying a totally managed Wan service via an ISP is now feasible, and is being demanded by our customers," said Howard Hines, head of technical services at BT. "The user needs only the equipment associated with the desktop - modem, TA or router - to dial locally into the public service. BT provides the connection into the corporate intranet off the public IP service."
An internet VPN is set up when users are connecting to the corporate Lan via an ISP. With an internet VPN, calls to the ISP will be charged at local rates and there will be no need for a bank of modems at the central site. This is because the ISP will terminate the modem call and switch the incoming data onto the internet.
When this happens, the ISP wraps up the data from the remote user's PC in IP packets to carry it to the corporate Lan. This process of encapsulation and delivery is known as tunnelling. The data being sent can also be encrypted at the desktop prior to setting off, shielding both the data itself and the network addresses in the stream from casual view.
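The effect described above, as an added example that is not part of the original article: a Python sketch showing what an on-path observer can read from a tunnelled packet with and without encryption before encapsulation. It assumes plain IP-in-IP encapsulation and a toy XOR keystream in place of a real tunnelling protocol and cipher, and the addresses, payload and key are constructed.

```python
import hashlib
import socket
import struct

IPIP, EXPERIMENTAL = 4, 253  # IP-in-IP; 253 is reserved for experiments

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header plus payload (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet without options."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], pkt[20:f[2]]

def toy_xor(key, data):
    """Stand-in for a real cipher: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + struct.pack("!I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def tunnel(inner, client, gateway, key=None):
    """Encapsulate an inner packet; encrypt it first when a key is given."""
    if key is None:
        return ipv4(client, gateway, IPIP, inner)
    return ipv4(client, gateway, EXPERIMENTAL, toy_xor(key, inner))

def gateway_unwrap(outer, key=None):
    """What the corporate gateway does: strip the outer header, decrypt."""
    payload = parse(outer)[3]
    return payload if key is None else toy_xor(key, payload)

def observer_view(outer, secrets):
    """What an on-path observer learns: outer addresses and leaked bytes."""
    src, dst, _, _ = parse(outer)
    return {"src": src, "dst": dst,
            "leaked": [s for s in secrets if s in outer]}

# Constructed sample: private Lan addresses and payload inside the tunnel.
INNER = ipv4("10.1.1.7", "10.1.0.20", 6, b"payroll-query")
SECRETS = [socket.inet_aton("10.1.0.20"), b"payroll-query"]
KEY = b"constructed-demo-key"
CLEAR = tunnel(INNER, "198.51.100.9", "203.0.113.1")
SEALED = tunnel(INNER, "198.51.100.9", "203.0.113.1", KEY)
```

In both cases the observer still sees the outer client and gateway addresses; only the encrypted tunnel keeps the internal Lan address and the payload out of view.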
Tunnelling into the Lan
When these tunnels are initiated by the remote user's equipment, rather than the ISP's PoP, the users can use any ISP to connect to the corporate Lan. Shiva's tunnelling technology, for instance, is manifested in its new LanRover VPN Gateway and VPN Client.
Eric Beatty, Shiva EMEA director of VPN business, cautioned: "VPNs are certainly a future choice, but they won't replace traditional remote access methods - hybrids will exist for years to come. This 'burn your modem' talk is rubbish."
But if VPNs are to take hold, the big questions are how to guarantee service quality and security over a public IP network. Many ISPs operate on high dial-up contention ratios with no guarantee that a call will be answered. Most ISPs refuse to accept responsibility for security issues, placing the onus on the customer to build a security umbrella.
"A managed service from an ISP may save on call charges and provide a measure of comfort in using proven methods, such as tunnelling protocols like PPTP, L2F or L2TP," said Logical's Thornton. "But if performance is paramount, then the internet cannot guarantee it - although new Quality of Service arrangements from ISPs are a step in this direction - and may therefore not be the appropriate solution for all users."
One way ahead is offered by BTN in conjunction with ISP U-Net. This partnership has launched a new managed service called MRAS.
With this service, the customer is given a bank of dial-up ports that can be accessed by an allocated 0845 local call number. The central site router is linked to U-Net via a leased line with ISDN backup. At the customer headquarters is a Cisco router for terminating the leased line and an integral or separate server firewall. Access rights are administered by the customer via an authentication database installed as part of MRAS.
"Apart from controlling access rights, the entire operational task of running the remote access network is effectively off-loaded to BTN," said John Murphy, network architect at BTN. "As such we can offer service-level undertakings for each closed user group routed through the U-Net infrastructure."
Although others, such as Cable & Wireless, offer managed IP services, BTN is the first specialist remote access system integrator - rather than a telecommunications company - to offer such a service.
Security is undoubtedly a burning issue, with a firewall residing either on a dedicated workstation or, in some cases, within the router or concentrator itself. But Richard Colebrook, business development director of Jaguar Communications, warned: "Some concentrators claim firewall capability, but I'd say that is the wrong place to put your firewall. You should treat security as a separate element."
Others feel that the performance of today's high-end routers is such that running a security platform in the same processor begins to look viable, depending on the size and shape of the network. "Some of the original Ascend products with integral security benchtested poorly, but no-one in the field voiced concerns," said BTN's Murphy. "They never get hammered enough in practice for the overhead to make a difference and, as traffic grows, a well-designed system will have sufficient flexibility to cope."
BT's Hines believes that, at the end of the day, it all comes down to needs versus risk: "The primary need is to ensure hackers cannot enter the corporate intranet; this can extend to encryption and ever deeper levels of access control - even to the servers themselves, with different domains for different types of user. We have that ourselves, with each engineer having a personal access profile. Ultimately, peace of mind is subjective."
GSM users make up an interesting and growing niche, notably for those who travel extensively and choose not to carry a plethora of adaptors or incur hotel phone bills. The cellular provider may offer to convert the GSM signal into an analog modem call - and suffer the 20-second connection times and other crosses modem users bear. Alternatively, the RAC can offer the appropriate interface to deal with the digital cellular signal, currently supporting 9.6Kbps throughput via a data card in a laptop.
Adapting to GSM
The solution is a neat but well-kept secret. The V.110 rate adaption scheme was created to pass data rates of up to 19.2Kbps over a 64Kbps digital link. While most RACs support V.120 packetising for higher rates, V.110 has a new lease of life supporting GSM's lowly throughput.
As Beatty explained: "Shiva has had significant contract wins in Europe through offering a GSM remote access solution, such as in Poland and Holland - in one case simply because we replaced a proprietary scheme with V.110 rate adaptive cards in the access switches at the central site."
It is always refreshing to watch some zig while others zag, and in the RAC world, the DSP (Digital Signal Processor) community is buzzing noisily in the ointment. While routing in the enterprise core demands high-capacity, high-functionality and high-investment chassis-based systems, an alternative for smaller networks is already making an impact in the US and will soon reach the UK.
Server-Based Communications (SBC) technology is targeted at organisations with 30 to 50 staff needing Lan-to-Lan connectivity over a Wan. In place of routing through a discrete standalone device, PC-based routing is carried out by software forming part of the OS on a Lan server. Digi International, for instance, has developed a new family of server boards offering up to 60 DSPs. Each onboard DSP is non-discriminating, handling an ISDN connection one moment, then analog PSTN or a leased line the next, with external lines coming straight into the card in the back of the server.
"DSPs do away with external concentrators and racks of modems and ISDN terminal adaptors," said David Allen, European managing director of Digi International. "Think of the impact in footprint and maintenance overheads for an SME or ISP. Replacing 60 devices with one card, with no compromise on service and at equal or lower cost per port connection, is a compelling argument for DSP technology. Such is the demand across all sectors in the US, we can hardly build them quick enough."
Huge growth predicted
US research organisation Aberdeen Group predicts that the SBC market - specifically remote PC-to-Lan access - will grow from 3.5 million ports shipped in 1997, to more than 27.5 million in 2003. Brad Baldwin, an analyst at IDC, forecasts steady growth in port shipments from 3.3 million in 1997 to 5.4 million by 2000.
Proprietary routers in SMEs that today link remote users, branch offices or departments are, believes Allen, "yesterday's technology". He reckons "software-based routers from the likes of Novell and Microsoft are the way forward".
This recipe for a DIY remote access server is not, adds Allen, a passing fad. "Not only are the biggest names in networking involved, but also analysts' opinions point to a dramatic shift towards SBC in the coming years as the products emerge and mature," he said.
Whatever the delivery method, the sleeping giant of remote access is IP telephony, according to Richard Benwell, Wan marketing manager at Cabletron.
"With half of voice-grade transatlantic phone traffic currently fax, the savings with a store-and-forward IP service with a local call at either end are considerable, so the business arguments will win out," he said.
"Voice is the next stage on, followed by VPNs when critical mass is reached - and all those services will need to be switched at either the ISP or the customer premises."
Whatever the details, the most important point is that remote access is now a core business tool in many organisations. As Jaguar's Colebrook said: "Technology is not the key any more; it is more a shopping list. The trick is using remote access to deliver what the organisation needs. Sitting across the table identifying the business issues and meeting business needs is the name of today's game."
REMOTE ACCESS: CHECKLIST
What will remote access into central resources achieve?
What volume of data is anticipated?
How many connections are needed?
What connection duration and connection patterns are involved?
What mixture (PSTN, ISDN, leased lines, possibly GSM) needs support?
How many concurrent users are likely?
What applications will be involved?
Will the remote equipment be manageable?
What line speeds are appropriate?
What central site capacity is necessary?
What levels of security and authentication are needed?
Is dial-out capability needed?
What expansion options are available?